iCTF 2011: Android Market Challenge

Not all applications on the Android Market can be installed by all Android devices. More specifically, each Android device only allows the user to choose from the subset of applications that are considered suitable to be installed on that device. For example, if you visit the Android Market with your browser, you get a list of over 200 applications in the communications (top free) category. Using the Market on a Nexus One lists more than 100 applications for that very same category. However, using the Android Market on the Android SDK simulator (API level 10, platform 2.3.3) only lists two applications. Give their names in alphabetical order separated by a comma.

SchoolCTF: Deadlamps

The Key Is superline. (Image taken down; http://blackbox.sibears.ru/uploads/6/school-ctf-2011-files/deadlamps.gif)

iCTF 2011 9x9 Choose Your Battles

SchoolCTF 2011: You just love this thing, right? Writeup

The challenge “You just love this thing, right?” gives you a GNU/Linux ELF binary called “mazzze” (contained within a gzip file called “mazzze.gz”). ‘mazzze’ is an ASCII game in which you must go through a ‘maze’ and get the combination to a safe that will give you the key. It begins with a help message, and after you press return the actual game starts like this (the colors are for visibility):

Java Dynamic Instrumentation #2

Continuing from Java Dynamic Instrumentation #1, this post will cover some more advanced features of the Javassist API.

Java Dynamic Instrumentation #1

Instrumentation is the process of injecting code into a compiled program. In Java, this can be done statically and dynamically. Using static instrumentation, a class’s bytecode is modified and saved to disk, permanently modifying the class. With dynamic instrumentation, the class’s bytecode is modified in memory right before being loaded.

Gera's Insecure Programming Advance Buffer Overflow #3

This exercise is compiled on Debian 2.6.32 with NX and ASLR enabled. However, those protections do not affect the difficulty of the exercise. This challenge could have been exploited with or without those protections.

Gera's Insecure Programming Advance Buffer Overflow #1 (ROP NX/ASLR Bypass)

After my last post, I decided to go straight into the Advance Buffer Overflow (ABO) section and practice more ROP. The first ABO exercise was a straightforward buffer overflow.